Assigning A Crypto-List To An Interface - Avaya G250 Administration

The G250/G350 IPSec VPN feature supports NAT Traversal. If your installation includes one or
more NAT devices between the local and remote VPN peers, NAT Traversal should be enabled,
although in some rare cases it may not be required.
Note:
NAT Traversal is enabled by default. Configure NAT-Traversal only if you need to
Note:
re-enable it after it was disabled using the no crypto ipsec
nat-transparency udp-encapsulation command.
NAT Traversal keepalive is also enabled by default (with a default value of 20
seconds). Configure NAT Traversal keepalive only if you need to re-enable it after
it was disabled using the no crypto isakmp nat keepalive command.
To configure NAT Traversal:
1. Enable NAT Traversal by using the crypto ipsec nat-transparency
udp-encapsulation command:
G350-001# crypto ipsec nat-tranparency udp-encapsulation
G350-001# Done!
2. Enable NAT Traversal keepalives and configure the keepalive interval (in seconds), using
the crypto isakmp nat keepalive command, followed by a number between 5 and
3600.
NAT Traversal keepalives are empty UDP packets that the device sends on a periodic basis
at times of inactivity when a dynamic NAT is detected along the way. These keepalives are
intended to maintain the NAT translation alive in the NAT device, and not let it age-out due
to periods of inactivity. Set the NAT Traversal keepalive interval on the G250/G350 to be
less than the NAT translation aging time on the NAT device.
G350-001# crypto isakmp nat keepalive 60
G350-001# Done!

Assigning a crypto-list to an interface

A crypto-list is activated on an interface. You can assign multiple crypto-lists to different
interfaces on the G250/G350.
To assign a crypto-list to an interface:
1. Enter interface context using the interface command.
G350-001# interface FastEthernet 10/2
G350-001(config-if:FastEthernet 10/2)#
Configuring a site-to-site IPSec VPN
Issue 1.1 June 2005 381